SAP GRC Access Control


Did you forget what this tool is used for? Read here. 


Access Risk Analysis (ARA) 


In this SAP GRC Access Control module, the rule matrix (ruleset) is the most important part:
• GRACFUNC - Function
• GRACFUNCT - Function Description Translations
• GRACFUNCACT - Function Action Relationship
• GRACFUNCPRM - Function Action Permission relationship
  ◦ Where ACTIVE = X means that the row is active


[Screenshot: Data Browser, table GRACFUNCPRM. Columns: MANDT, FUNCTID, ACTION, CONNECTOR, SEQUENCE, RESOURCEID, RESOURCEEXTN, FROMVAL, TOVAL, SEARCHTYPE, ACTIVE, INACTIVE]


• GRACSODRISKFUNC - SOD Risk Function Relationship
• GRACRULESET - Rule Set
• GRACRULESETT - Rule Set Description
• GRACORGRULE - Organization Rules
• GRACACTRULE - SOD Action Rule Detail
• GRACSODRISKT - SOD Risk Description
• GRACSODRISK - SOD Risk
  ◦ RISKTYPE = 1: SOD, 2: Critical Action, 3: Critical Permission
[Screenshot: Data Browser, table GRACSODRISK. Columns: MAN..., RISKID, RISKLEVEL, ACTI.., BZPRC..., UPDUSER, UPDTIME, ACTGEN, PRMGEN, RISKTYPE, DESCN]


• GRACSODRISKOWN - SOD Risk Owner
• GRACMITROLE - Role mitigating control assignment
• GRACMITUSER - User mitigating control assignment
• GRACCRPROFILE - Critical Profile Rule
• GRACCRROLE - Critical Role Rule
• GRACBPROC - Business Process
• GRACBPROT - Business Process Description


SAP GRC Access Control Tables 


• GRACMGRISKD - Risk Analysis Mgmt Sum data for Batch Risk Analysis.
• HRP5320 - Defined mitigation controls
• HRT5320 - Defined mitigation controls
• GRACUSERPRMVL - User Permission Violation Table


[Screenshot: Data Browser, table GRACUSERPRMVL. Columns: MANDT, USERID, XCONNECTOR, SEQUENCE, RISKID, ACTRULEID, FUNCTID, CONNECTOR, ACTION, RESOURCEID, RESOURCEEXTN, FROMVAL, TOVAL, ROLEID, COMPROLEID, PROFILEID, ORGRULEID, ACCONTROLID, MONITOR]


Emergency Access Management (EAM) 




In this SAP GRC Access Control module, the management of the super users or super roles is the most important part:
• GRACFFLOG - Details related to Firefighter ID Log On Information
• GRACFFREPMAPP - FFLOG and Repository Mapping for Firefighters
• GRACACTUSAGE - Action Usage
• GRACAUDITLOG - Security Audit Log table
• GRACSYSTEMLOG - System Security Log table
• GRACCHANGELOG - Data Change Log table
• GRACREASONCOD - Master table for Reason Codes
• GRACREASONSYS - Reason Code and System assignments
• GRACFFCTRL - Maintain assignment of FF ID or Role to Controllers
• GRACFFOBJECT - Maintain SPM Firefighter ID and Role details
• GRACFFUSER - Maintain SPM Firefighter Assignment to FF ID/Roles


Business Role Management (BRM) 


In this SAP GRC Access Control module, role management is the most relevant part:
• GRACROLE - Role
• GRACROLEAPPRVR - Role Approver
• GRACROLESTATUS - Role Status Table
• GRACROLETYPE - Role Type Table
• GRACMTH - GRC Methodology
• GRACMTHT - GRC ERM Methodology Text
Access Request Management (ARQ)


This component manages the operational workflows inside the Access Control suite. It is managed using the
Business Rule Framework (BRF+) and the workflow framework called MSMP (Multi Stage Multi Path).


• GRACREQ - Request Header
• GRACREQPROVITEM - Line Items Associated with Request
• GRACREQUSER - User Associated with Request
• GRACEUPCONFIG - End User Personalization Fields
• GRFNMWCMPATH - MSMP Path
• GRFNMWCNROUTE - MSMP Route Mapping
• GRFNMWCNSDEF - MSMP Stage Definition
• GRFNMWRTAPPR - Current approver of Access Request (GRFNMWRTSTAPPR only during runtime)
• SWWUSERWI - Task ID assigned to users
• HRUS_D2 - Delegation table


GRC Access Control Foundation 


Some tables are shared between different modules, like the following: 


• GRACCONFIG - Configuration Parameter Table

[Screenshot: Change View "AC Configuration settings": Overview]

Parm Group     Param ID   Parameter Value   Priority   Description
1 Change Log   1001       YES                          Enable Function Change Log
1 Change Log   1002       YES                          Enable Risk Change Log
1 Change Log   1003       YES                          Enable Organization Rule Log
1 Change Log   1004       YES                          Enable Supplementary Rule Log
1 Change Log   1005       YES                          Enable Critical Role Log
1 Change Log   1006       YES                          Enable Critical Profile Log


• GRACOWNER - Master table for Central Owner Administration
• GRACTASKEXECSTMP - Executed background jobs Table; here you can find the last date of execution of the synchronization jobs
• GRPCPHIO - GRC: Instances of Physical Information Objects; here you can find the information about the attachments to the requests


When is it useful to use the tables, and when is it not?


In my opinion, it's useful to know and use the tables for activities like troubleshooting and uploaded data.


Does it make sense to create alternative reports to the standard ones? It depends. It could be useful as a
control activity of the GRC configuration or to anticipate potential problems like:

• Usage of roles without approvers in approval-based workflows
• Problems in the SoD matrix (ruleset); read here for more information on the SoD matrix
• Verifying the EAM configuration for the management of the super users
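As an added example (not part of the original page, and not SAP code), a control report for the "problems in the SoD matrix" case can be run offline on an export of GRACFUNCPRM. It assumes a CSV export whose header uses the column names shown for that table above; the sample rows, the three review heuristics and the lexical range comparison are assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the GRACFUNCPRM column layout listed on this page.
SAMPLE_EXPORT = """MANDT,FUNCTID,ACTION,CONNECTOR,SEQUENCE,RESOURCEID,RESOURCEEXTN,FROMVAL,TOVAL,SEARCHTYPE,ACTIVE
800,AP01,F-04,G10CLNT800,12,F_BKPF_BUK,ACTVT,01,02,AND,X
800,AP01,F-04,G10CLNT800,13,F_BKPF_BUK,BUKRS,$BUKRS,,AND,X
800,AP01,F-43,G10CLNT800,1,F_BKPF_BUK,ACTVT,01,,AND,
800,AP01,F-43,G10CLNT800,2,F_BKPF_KOA,KOART,K,,AND,
800,AP02,FB60,G10CLNT800,1,F_BKPF_BUK,ACTVT,03,01,AND,X
800,AP02,FB60,G10CLNT800,2,F_BKPF_KOA,KOART,,,AND,X
"""


def check_function_permissions(export_text):
    """Return sorted (finding, FUNCTID, ACTION, detail) tuples for review."""
    active_rows = defaultdict(int)
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        key = (row["FUNCTID"].strip(), row["ACTION"].strip())
        active_rows[key] += 0  # register the action even if no row is active
        if row["ACTIVE"].strip().upper() != "X":
            continue  # ACTIVE = X marks an active row; skip the others
        active_rows[key] += 1
        field = f'{row["RESOURCEID"].strip()}/{row["RESOURCEEXTN"].strip()}'
        low, high = row["FROMVAL"].strip(), row["TOVAL"].strip()
        if not low:
            # Assumed heuristic: an active row without a value checks nothing.
            findings.append(("EMPTY_FROMVAL", *key, field))
        elif high and high < low:
            # Assumed heuristic: lexical comparison of the range bounds.
            findings.append(("INVERTED_RANGE", *key, f"{field} {low}>{high}"))
    for key, count in active_rows.items():
        if count == 0:
            # Assumed heuristic: the action has no permission-level rule left.
            findings.append(("NO_ACTIVE_PERMISSION", *key, "all rows inactive"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in check_function_permissions(SAMPLE_EXPORT):
        print(*finding, sep=" | ")
```

Each finding is a prompt for a ruleset owner to review the function in the GRC system, not proof of a misconfiguration.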


Basing further processes on data extractions taken directly from the tables inside the GRC system is probably
not the best solution. After an update or modification of the system, there is no immediate guarantee that the
extractions will return the original result.